
Inside Internal Controls

News and discussion on implementing risk management


PIPEDA

Privacy law: The Supreme Court of Canada’s Royal Bank of Canada v. Trang

The Supreme Court of Canada released a landmark decision giving important guidance on when personal financial information may be disclosed under Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act.

 


Cybersecurity best practices for connected cars

Some of the most significant concerns with connected vehicles are cybersecurity and privacy protection. These concerns were the main impetus behind the creation in the US of the Auto Information Sharing and Analysis Centre (ISAC) by a group of US automakers in July of 2014. The group allows its members to share information about threats and vulnerabilities, conduct analysis and develop industry solutions. The Auto ISAC has now released its “Automotive Cybersecurity Best Practices”.

 


Public Safety Canada calls for submissions on new national cybersecurity strategy

On August 16, 2016, Public Safety Canada (“PSC”) issued a consultation paper, launching a public consultation as part of PSC’s development of an updated national cybersecurity strategy. The consultation will close on October 15, 2016. Businesses may want to consider making submissions in respect of some key questions posed around possible regulation or standard-setting regarding Internet of Things and connected devices, certification for E-commerce activities, and information sharing (especially in respect of critical infrastructure).

 


Pension and benefit plan provider breaches privacy law causing employee to lose life insurance coverage

Many of us have called service providers to change basic information, such as a mailing address. You pick up the phone, speak to a representative, and the change is made; no big deal, right? This seamless scenario may not always be the case. Any little misstep on an organization’s part can cause grief not only for the customer, but also for the organization itself. This proved to be true when an employee complained, to the Office of the Privacy Commissioner of Canada, that her employment pension and benefit provider disclosed her personal information to a third party without her consent.

 


U.S. online payment processor Dwolla fined $100,000 for misrepresenting data security practices: Lessons for Canadian companies

In March 2016, the U.S. Consumer Financial Protection Bureau (“CFPB”) issued a Consent Order against Dwolla Inc., an online payment platform, for deceiving consumers about its information security practices. The CFPB levied a $100,000 civil monetary penalty against the company, a first for the CFPB. While Canada has different privacy and consumer protection regimes, the lessons from the Dwolla case point to a new direction in enforcement approaches.

 


Private right of action under Canada’s Anti-Spam Law (CASL)

As of July 1, 2017, individuals and organizations will be entitled to institute a “private right of action” before the courts against those that contravene certain provisions of Canada’s Anti-Spam Law (“CASL”). In the event of a contravention of the message rules in CASL, a monetary penalty up to a maximum of $1,000,000 per day may be imposed. This private right of action should be taken seriously right now. From this perspective and building on previous publications, this bulletin discusses this new mechanism.

 


Attempt to fix email issue causes privacy issue

A recent privacy complaint was filed against a telecommunications company under PIPEDA regarding frequent email problems.

 


New PIPEDA data breach regulations proposed

On March 9, 2016, the Department of Innovation, Science and Economic Development Canada released a discussion paper on the new data breach regulations being proposed. The Ministry is accepting public submissions until May 31, 2016 on the proposed Data Breach Notification and Reporting Regulations.

 


Ransomware threat to Canadian businesses broadens

Recent hacker attacks — including the first successful attack on an Apple computer, and several attacks on U.S. and Canadian hospitals — have reminded Canadian businesses of the need to be vigilant about the danger posed by ransomware.

 


Phone companies after R v. Rogers: Constitutional guardians or agents of the State?

People love their phones. Phones now accompany us pretty much wherever we go, whatever we do. People use their phones in church, in restaurants, at the theatre, and, apparently, while committing crimes. And our phones are leaving a trail behind us.

Police know this. They also know that records are created every time our phones connect to cell towers to send and receive calls, SMS messages, or data. Every one of those records indicates that a phone (and, implicitly, the person carrying it) was in range of a particular cell tower, at a particular time. This could be useful information if, say, one wanted to identify the person (or people) responsible for a string of jewelry store robberies.

The method will be familiar to many from movies and T.V. shows: all you need to do is to gather a list of every single person who was near each of the locations of interest at the time of interest and analyze the patterns. And, hey, that cell tower data can provide that list….

But is it legal?

 


Federal Court affirms strict compliance with PIPEDA for employers

The Federal Court recently underscored the importance of compliance with the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) in a decision that applies only to federal works and undertakings subject to the Act.

 


Businesses should re-evaluate approach to privacy with passage of Digital Privacy Act

The Digital Privacy Act (Bill S-4) passed into law, introducing (among other things) significant fines and mandatory breach notification (not yet in force) into the Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations which handle personal information in the course of their commercial activities will want to undertake a review of their privacy policies […]

 


Bill C-13: Lawful access and the relationship between organizations, cyber-bullying and the protection of privacy rights

On December 9, 2014, Bill C-13, An Act to amend the Criminal Code, the Canada Evidence Act, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act (Act), also known as the Protecting Canadians from Online Crime Act, received royal assent. The Act came into force on March 9, 2015.

 


Cyber-insurance: What you need to know?

A question that I often get from clients is one about cyber-insurance. In light of the recent passing of Bill S-4, better known as the Digital Privacy Act, the Personal Information Protection and Electronic Documents Act has now been amended to include mandatory breach notification provisions. While these mandatory breach notification provisions are not yet in force, it is a good time to review your cyber-insurance coverage.

 


Marketing compliance news

E-commerce offers tremendous opportunities for non-profits. Large advertising budgets are no longer necessary to reach a broad audience. Volunteers can be more easily coordinated, charitable receipts issued relatively inexpensively, special events registration managed with far less human intervention required. This is all good news for non-profits. But along with this new e-reality have come new e-headaches.

 

